Study: U.S. Workers Behave a Little More Securely

While there are some problems with IT security in the U.S., Americans in general show
better security behavior for preventing data loss than users in other parts of the world.
That's a general finding in a new report sponsored by Cisco that asked 2,000 globally
dispersed professionals about their views on behaviors that could lead to data leakage.

The study focused on the behaviors of users and the perceptions of IT owners, and comes at
a time when Vice Presidential candidate Governor Sarah Palin (R-AK) became the victim of an
e-mail hack that could have led to data loss. Palin's experience, though, is not
indicative of the behaviors of U.S. IT users on the whole, who are doing better than most
of their counterparts around the world when it comes to doing the right thing for
security.

"Based on study, I agree that in general if you look through the data it appears that
U.S.-based IT users have better behaviors that might contribute to less data loss
issues," Fred Kost, director of security solutions at Cisco, told InternetNews.com.
"And IT clearly perceives that they have better control."

Kost added that the Cisco-sponsored study did not measure whether there was a direct
connection between better behaviors and actual data loss events. That said, Kost argued
that better behaviors do lessen the risk.

So what are some of the better IT behaviors?

One behavior the study asked about is using corporate-owned assets for personal e-mail.
In the U.S., 39 percent of respondents admitted to using their company-owned computer for
personal e-mail, while in Germany the figure was 47 percent, in India 58 percent and in
China a whopping 61 percent.

Another bad behavior that Cisco asked about is whether users admitted to changing
security settings on a company-issued computer. In the U.S., only two percent of
respondents admitted to changing security settings. Other countries scored significantly
worse, with nine percent in the UK, 10 percent in France, 20 percent in India and a
staggering 42 percent in China admitting that they changed security settings.

The majority (52 percent) of users globally who changed their security settings did
so to visit a Web site that was not allowed by their company's policy. At a core level,
IT professionals reported that it is the unauthorized use of applications and Web sites
that leads to data loss incidents.

"So the very thing that IT is putting in place to protect end users is being
disabled," Kost said. "A lot of this is about users and IT trusting each other to do the
right thing."

Kost noted that Governor Palin's case highlights the blurring of the personal and
business use of e-mail.

"If I'm using Yahoo to access my personal e-mail on a computer that I also access my
corporate e-mail on, my behavior on Yahoo could propagate risk to the corporate side of my
computer," Kost said.

Kost added that the social engineering risk is also something to consider, since the
disclosure of even small bits of personal information could lead to a wider data loss
issue.

"The Palin case highlights both the social engineering risk and also the use of work
and personal e-mail," Kost commented. "I can't say if we'd had an increase in people
inquiring about e-mail security directly as a result of Palin, but it definitely
highlights the risk that people may not perceive as risk."

Overall, Kost noted that the personal use of applications is creating risk, though
there are some technology measures IT administrators can take to protect users. The key
is balance.

"If IT locks everything down and doesn't give users any freedom then users will work
harder to break the rules or deviate from policy," Kost said. "So there is a balance
there and keeping users educated and building up the trust is critically important."